
Open Source Management: Words of Advice from One Open Source Auditor to Another Part II

Open source audits are never as simple as they seem. Having tackled your first open source audit, you are probably asking yourself what you can do to make future audits easier. The answer is preparation. The steps you take before the auditing process starts will make the project that much more successful. To help with future audits, here are a few tips and tricks you can use before you begin an audit:

  1. Know the Goals of the Audit: Knowing the goals of an audit can drastically change the way you conduct it. The goals can range from discovering unknown components to generating a comprehensive list of all open source in use in order to demonstrate full license compliance. Different goals change how you audit the code base and how thorough you need to be. Before any audit is conducted, hold an internal conversation about what the audit is for and establish a clear end goal.

  2. Go in with a List of Known Open Source: This is one of the most beneficial tips I can give you for your next audit. Before you begin, ask the developers or managers who know the code to help you compile a list of the open source they already know is in it. (Having that list in hand will drastically help.) Chances are that if you are auditing at all, you already have some form of internal open source policy (formal or informal) and are documenting what is being used. A good place to keep information like this is OLEX, or a basic spreadsheet.

    1. For example, you might find yourself looking at a file that could belong to one of two packages. Take a real-life example: one file that could have come either from jssha256, released under the GPL v2 license, or from jssha, released under the BSD 3-clause license. Both packages look similar and perform the same function, but they sit at opposite ends of the open source licensing spectrum. A list of known open source can help you identify which package you are actually looking at and avoid a compliance failure. The more information you gather about the code before you audit, the fewer headaches you will have later.

  3. How is the Code Used: You do not need to be a computer engineer to conduct an open source audit; however, knowing some basics, such as which components are build-time and which are runtime, will make your life easier. A great deal of open source licensing turns on how the open source is used: is it modified, distributed, or linked to other code? If the goal of the audit is full license compliance, then you need to know how every piece of open source you identify is used.

    1. Imagine an audit whose goal is full license compliance for all open source in the distributed software. Knowing which components are runtime and which are build-time drastically cuts down the amount of work required (for example, Apache Ant [build time] vs. a query plug-in [runtime]), because build-only tooling is never shipped to the customer.

  4. Completeness: Making sure you have all the code sounds obvious, but it is easy to overlook something, and a missing piece can prevent you from reaching your goal accurately. As you prepare for an audit, ask yourself: Have you included all of the source code, as well as the binaries? Are there auxiliary components, such as Maven repositories, that need to be looked at?
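Tips 2 through 4 describe one workflow: match what you find against the list of known open source, figure out which components actually ship, and make sure binaries and build repositories are in scope. The script below is an added example illustrating that workflow; it is not code from the original post or from any of the projects it names. The file contents standing in for jssha256 and jssha, the jar bytes, the inventory entries and the pom.xml are all constructed for the example, and the license-header patterns are deliberately minimal.

```python
"""Toy pre-audit helper (added example, not from the original post).

Matches files against a known-open-source inventory by hash, falls back to
license text in the file header when a file was modified, and splits Maven
dependencies into distributed (runtime) versus build-only."""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs: stand-ins, NOT the real jssha256 / jssha sources.
SAMPLE_GPL_FILE = (
    b"/* jssha256 - SHA-256 in JavaScript.\n"
    b" * This program is free software; you can redistribute it and/or modify\n"
    b" * it under the terms of the GNU General Public License, version 2. */\n"
    b"function sha256(msg) { /* ... */ }\n"
)
SAMPLE_BSD_FILE = (
    b"/* jssha - SHA family hashes. Distributed under the BSD 3-Clause License. */\n"
    b"function jsSHA(msg, variant) { /* ... */ }\n"
)
SAMPLE_JAR = b"PK\x03\x04constructed-binary-stand-in"   # binaries are in scope too
UNKNOWN_FILE = b"function sha256_digest(x) { return x; }\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The "list of known open source" assembled with developers before the audit
# (the kind of record the post suggests keeping in OLEX or a spreadsheet).
# Keyed by file hash so an exact copy is recognised regardless of its path.
KNOWN_INVENTORY = {
    sha256_hex(SAMPLE_GPL_FILE): ("jssha256", "GPL-2.0-only"),
    sha256_hex(SAMPLE_BSD_FILE): ("jssha", "BSD-3-Clause"),
    sha256_hex(SAMPLE_JAR): ("example-query-plugin", "Apache-2.0"),  # hypothetical
}

# Fallback for files whose hash no longer matches (locally modified copies):
# look for license text near the top. Illustrative patterns, not a detector.
LICENSE_PATTERNS = [
    (re.compile(rb"GNU General Public License", re.I), "GPL"),
    (re.compile(rb"BSD 3-Clause", re.I), "BSD-3-Clause"),
    (re.compile(rb"Apache License,? Version 2\.0", re.I), "Apache-2.0"),
]
COPYLEFT_PREFIXES = ("GPL", "LGPL", "AGPL")


def identify(data: bytes):
    """Return (component, license, method) for one file's bytes."""
    known = KNOWN_INVENTORY.get(sha256_hex(data))
    if known:
        return known[0], known[1], "inventory-hash"
    for pattern, lic in LICENSE_PATTERNS:
        if pattern.search(data[:4096]):        # headers live near the top
            return None, lic, "header-text"
    return None, None, "unknown"


def audit_tree(files: dict):
    """files: {path: bytes}. Returns per-path findings plus two review queues."""
    report = {"files": {}, "copyleft": [], "unknown": []}
    for path, data in sorted(files.items()):
        component, lic, method = identify(data)
        report["files"][path] = (component, lic, method)
        if lic and lic.startswith(COPYLEFT_PREFIXES):
            report["copyleft"].append(path)   # needs a distribution/linking review
        if method == "unknown":
            report["unknown"].append(path)    # discover what this is before signing off
    return report


# Constructed pom.xml: one shipped dependency, one test-only, one build plugin.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>query-plugin</artifactId>
      <version>1.0</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.13.2</version><scope>test</scope></dependency>
  </dependencies>
  <build><plugins>
    <plugin><groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-antrun-plugin</artifactId><version>3.1.0</version></plugin>
  </plugins></build>
</project>"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
DISTRIBUTED_SCOPES = {"compile", "runtime"}   # scopes packaged with the product


def classify_pom(pom_xml: str):
    """Split Maven coordinates into 'runtime' (shipped) and 'build' (not shipped)."""
    root = ET.fromstring(pom_xml)
    buckets = {"runtime": [], "build": []}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coord = (dep.findtext("m:groupId", namespaces=NS) + ":"
                 + dep.findtext("m:artifactId", namespaces=NS))
        scope = dep.findtext("m:scope", default="compile", namespaces=NS)
        buckets["runtime" if scope in DISTRIBUTED_SCOPES else "build"].append(coord)
    for plugin in root.findall("m:build/m:plugins/m:plugin", NS):
        buckets["build"].append(plugin.findtext("m:groupId", namespaces=NS) + ":"
                                + plugin.findtext("m:artifactId", namespaces=NS))
    return buckets


if __name__ == "__main__":
    modified = SAMPLE_GPL_FILE.replace(b"function sha256", b"function sha256_patched")
    tree = {"web/jssha256.js": SAMPLE_GPL_FILE, "web/vendor/hash.js": modified,
            "web/jssha.js": SAMPLE_BSD_FILE, "lib/query-plugin.jar": SAMPLE_JAR,
            "web/mystery.js": UNKNOWN_FILE}
    print(audit_tree(tree))
    print(classify_pom(SAMPLE_POM))
```

Two things the run shows that the tips only state: a locally modified copy of the GPL file no longer matches the inventory hash and is caught only by its header text, which is why the pre-audit list matters but is not sufficient on its own; and the `test`-scoped dependency and the build plugin land in the non-shipped bucket, so their licenses matter far less for a distribution-compliance goal. The pom handling is a simplification: `provided` is treated as not shipped, and transitive dependencies are not resolved, so a real audit would run this over the resolved dependency tree rather than a single pom.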

Gathering as much information as possible before an audit will only help in making it successful. "Before anything else, preparation is the key to success," said Alexander Graham Bell.1 The more effort you put into preparing for an audit, the more comfortable and successful you will be while conducting it.

For some helpful tips while in the auditing process, see my previous post Open Source Management: Words of Advice from One Open Source Auditor to Another. What steps do you take to prepare for your open source audit?


1 "Alexander Graham Bell." BrainyQuote.com. Xplore Inc, 2012. Retrieved 4 December 2012. www.brainyquote.com/quotes/quotes/a/alexanderg387728.htm

Follow @NKnowlesGIS
